The following are the main Domain Name System (DNS) requirements for SGD:
Hosts must have DNS entries that can be resolved by all clients.
DNS lookups and reverse lookups for a host must always succeed.
All client devices must use DNS.
SGD servers can have multiple DNS names. Each SGD server has one peer DNS name, and one or more external DNS names.
Note - When configuring SGD, it is best to use fully-qualified DNS names.
A peer DNS name is the DNS name that the SGD servers in the array use to identify themselves to each other. For example, boston.example.com.
An external DNS name is the DNS name that the SGD Client uses to connect to an SGD server. For example, www.example.com.
These two types of DNS names might be associated with the same network interface on the SGD host, or they might each use a different network interface. These DNS names must be fully-qualified DNS names.
When you install SGD you are prompted for a DNS name for the SGD server. This must be the peer DNS name that is used inside the firewall. This is the DNS name that the SGD web server binds to.
After installation, you can configure each SGD server with one or more external DNS names. The external DNS name is used by the SGD Client when it connects to an SGD server. By default, the peer DNS name is also used as an external DNS name.
In a network containing a firewall, you might need to make some names usable outside the firewall, for example across the Internet, and others usable inside the firewall. For example, users outside the firewall might be able to use www.example.com, but not boston.example.com. Users inside the firewall might be able to use either name.
Caution - You do not have to make all your SGD servers available outside the firewall. However, if users log in to an SGD server from both inside and outside the firewall, they might not be able to resume some applications when logging in from outside the firewall.
If you use the SGD Gateway, client devices do not connect directly to SGD; instead, they connect using the DNS name of a Gateway or load balancer. External DNS names are only used for direct client connections that are not routed through the Gateway. Instructions on how to install, configure, and use the Gateway are included in the Oracle Secure Global Desktop 4.6 Gateway Administration Guide.
If you are using mechanisms such as an external hardware load balancer or round-robin DNS to control the SGD server that a user connects to, you must configure SGD to work with these mechanisms. See User Session Load Balancing.
When an SGD Client connects directly to an SGD server, it connects using the external DNS name provided by the SGD server. The actual DNS name used is determined using the Internet Protocol (IP) address of the client.
If you use the SGD Gateway, external DNS names are only used for direct client connections that are not routed through an SGD Gateway.
You configure external DNS names by setting one or more filters that match client IP addresses to DNS names. Each filter has the format Client-IP-Pattern:DNS-Name.
The Client-IP-Pattern can be either of the following:
A regular expression matching one or more client device IP addresses, for example 192.168.10.*
A subnet mask expressed in the number of bits to match one or more client device IP addresses, for example 192.168.10.0/22
SGD servers can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.
Caution - If SGD is configured for firewall forwarding, you cannot use multiple external DNS names because SGD cannot determine the IP address of the client device. In this situation, you can configure a single external DNS name, for example *:www.example.com, and then use split DNS so that clients can resolve the name to different IP addresses, depending on whether they are inside or outside the firewall. See
The following is an example of external DNS names configuration:
"192.168.10.*:boston.example.com,*:www.example.com"
With this configuration, the following applies:
Clients with IP addresses beginning 192.168.10 connect to boston.example.com.
All other clients connect to www.example.com.
If the order of the filters is reversed, all clients connect to www.example.com.
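The first-match behaviour described above, as an added example that is not part of the SGD documentation or product. It assumes that a regular-expression pattern is anchored to the whole client address and that a bare * is a catch-all, as in the configuration shown; the configuration strings and client addresses below are constructed for illustration.

```python
import ipaddress
import re

# Added example (not SGD's own code): apply SGD-style external DNS name
# filters, "Client-IP-Pattern:DNS-Name", comma-separated, first match wins.
# Assumption: regex patterns are matched against the whole address, and a
# pattern of "*" on its own is a catch-all (it is not a valid regex by itself).


def parse_filters(config):
    """Split "pat:name,pat:name" into an ordered list of (matcher, dns_name)."""
    filters = []
    for entry in config.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # DNS names never contain ':', so split on the last one (IPv6 patterns do).
        pattern, _, dns_name = entry.rpartition(":")
        if not pattern or not dns_name:
            raise ValueError("malformed filter: %r" % entry)
        if pattern == "*":
            matcher = lambda ip: True
        elif "/" in pattern:
            # Subnet form: "192.168.10.0/22" has host bits set, so strict=False;
            # the network actually matched is 192.168.8.0/22 (192.168.8.0-11.255).
            net = ipaddress.ip_network(pattern, strict=False)
            matcher = lambda ip, net=net: ipaddress.ip_address(ip) in net
        else:
            # Regex form. Note that '.' is a metacharacter, so "192.168.10.*"
            # also matches e.g. 192.168.100.5; prefer the subnet form when an
            # exact address range matters.
            rx = re.compile(pattern)
            matcher = lambda ip, rx=rx: rx.fullmatch(ip) is not None
        filters.append((matcher, dns_name))
    return filters


def external_dns_name(config, client_ip):
    """Return the DNS name the SGD server would hand to client_ip, or None."""
    for matcher, dns_name in parse_filters(config):
        if matcher(client_ip):
            return dns_name
    return None
```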
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
The General tab displays.
Each filter matches client IP addresses to DNS names.
Press the Return key after each filter.
The format of each filter is described in Configuring External DNS Names.
The order of the filters is important. The first match is used.
You must restart the SGD server for the external DNS names to take effect.
You can change the peer DNS name of an SGD server without having to reinstall the software. See How to Change the Peer DNS Name of an SGD Server.
You must detach an SGD server from an array and stop SGD before changing its peer DNS name.
After changing the DNS name, the /opt/tarantella/var/log/SERVER_RENAME.log file contains the details of the changes that were made. Your existing server security certificates are backed up in the /opt/tarantella/var/tsp.OLD.number directory.
If you use an SGD server as an application server, you must manually reconfigure the application server object by changing the DNS name for the application server and, optionally, renaming the object.
If you have installed SGD printer queues on UNIX or Linux platform application servers, you might have to remove the printer queue that uses the old DNS name of the SGD server, and configure a new printer queue that uses the new DNS name of the SGD server. See Configuring UNIX and Linux Platform Application Servers for Printing.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
You can only change the peer DNS name from the command line.
If you are changing the peer DNS name of the primary SGD server, first make another server the primary server and then detach the server.
# tarantella array detach --secondary serv
Run the tarantella status command on the detached server to check that it is detached from the array.
Check your DNS configuration and ensure that the other SGD servers can resolve the new DNS name. You might also have to edit the /etc/hosts and /etc/resolv.conf files on the SGD host.
Use the following command:
# tarantella serverrename --peerdns newname [ --extdns newname ]
It is best to use fully-qualified DNS names.
Use the --extdns option to change the external DNS name of the server. This option only works if the SGD server has a single external DNS name. If the server has more than one external DNS name, you must manually update the external DNS names. See Configuring External DNS Names.
When prompted, type Y to proceed with the name change.
# tarantella security keystoregen
For details about secure intra-array communication, see Secure Intra-Array Communication.
If you are using the SGD Gateway, you must install the new peer Certificate Authority (CA) certificate on each SGD Gateway.
If the new peer DNS name is not included in the SSL certificate used by the SGD server, you must replace the certificate. See How to Replace a Server SSL Certificate.
If you are using the SGD Gateway, you must install the new server SSL certificate on each SGD Gateway.
The clock on the server joining the array must be in synchronization with the clocks on the other servers in the array. If the time difference is more than one minute, the array join operation fails.
# tarantella array join --primary p-serv --secondary s-serv